Setting up an online store in Spain has never been easier from a technical standpoint, but the legal side remains a wall that many merchants run into. The Law on Information Society Services (LSSI-CE), the General Data Protection Regulation (GDPR), the General Law for the Defence of Consumers and Users (TRLGDCU) and the Law on the Organisation of Retail Trade form a regulatory framework that applies to any company selling online in Spain, regardless of its size or whether it is a sole trader or a limited company. In this article we explain which documents you need, what information you must publish and what the consequences of non-compliance are, with data updated to 2026.
Which laws govern an online store in Spain?
Before detailing the requirements one by one, it is worth having a clear picture of the regulatory landscape. This is not a single law: there are at least four rules that overlap and affect different aspects of the digital business:
- LSSI-CE (Law 34/2002, of 11 July): governs who may provide information society services, what information must be published and how commercial communications by email must be handled.
- GDPR (EU Regulation 2016/679) and LOPDGDD (Organic Law 3/2018): protection of personal data of customers and users. Applies from the very first registration form or tracking cookie.
- TRLGDCU (Royal Legislative Decree 1/2007): consumer rights in distance contracts: mandatory pre-contractual information, 14-day right of withdrawal, delivery deadlines, warranties.
- Law 7/1998 on General Contracting Conditions: validity and requirements of terms and conditions of sale.
These rules are supplemented by the European Directives transposed by Spain: the Omnibus Directive (EU 2019/2161, in force since May 2022) strengthens digital consumer rights; the Digital Services Act (DSA, EU Regulation 2022/2065) imposes new transparency obligations on platforms.
Legal notice: the identity card of your online business
The legal notice is the first mandatory document required by Article 10 of the LSSI. It must be accessible at all times from any page of the website and must include at a minimum:
- Company name or full name of the owner.
- Registered address or contact address (a PO box is not sufficient).
- Tax identification number (NIF or CIF).
- Company registration details if it is a commercial company.
- Contact email address.
- Professional registration number if the activity is regulated (doctors, lawyers, pharmacists…).
- If VAT applies, prices must state whether it is included or not.
Failure to comply with Article 10 LSSI is classified as a minor infringement punishable by up to €30,000 under Article 38.1 of the same law. In practice, the Secretary of State for Digitalisation and Artificial Intelligence (SEDIA) — which has assumed competence in this area — has increased the number of proceedings initiated in recent years.
Privacy policy and GDPR: more than a copied text
Any online store collects personal data from the very first moment: when creating an account, processing an order, subscribing to a newsletter or simply installing Google Analytics. Article 13 of the GDPR requires informing the user before collecting their data about:
- Who is the data controller (identity and contact details).
- The purpose and legal basis of the processing (contract, legitimate interest, consent…).
- Whether data will be shared with third parties and with whom (payment gateways, shipping platforms, email marketing tools…).
- The data retention period.
- User rights: access, rectification, erasure, portability, objection and restriction.
- The right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
One aspect that many online stores overlook is the legal basis for processing. Not everything can be covered by consent; in most cases, the processing of data to perform a sales contract is based on Article 6.1.b of the GDPR (contractual performance), which means that explicit consent is not required for that data, but it is required for sending subsequent commercial communications.
For comprehensive data protection management in your store, our LSSI and e-commerce consultancy team prepares documentation tailored to your business model and guides you through implementation.
Cookie policy: the most frequently breached rule
The Guide on the use of cookies published by the AEPD in 2023 (revised in 2024) establishes that any website that installs or reads non-strictly necessary cookies must:
- Display a banner on the first visit that allows accepting, rejecting or configuring cookies before they are installed.
- Give the same prominence to the «reject» button as to the «accept» button.
- Not use dark patterns that make rejection difficult (hidden buttons, misleading colours, pre-selected options).
- Maintain a cookie policy accessible from the banner and from the footer with the complete list of cookies, their purpose and duration.
- Record consent and be able to demonstrate it to the AEPD if required.
The AEPD may sanction non-compliance in cookie matters as a GDPR infringement, with fines that can reach €10 million or 2% of global turnover (Article 83.4 of the GDPR), although in practice fines for SMEs range between €3,000 and €150,000 depending on the severity.
General terms and conditions of sale: the contract with your customer
The general contracting conditions are the document that governs the commercial relationship between your store and the customer. For distance contracts (which include online purchases), the TRLGDCU requires providing the consumer, before placing the order, with the following pre-contractual information:
- Main characteristics of the product or service.
- Identity of the seller and their full geographic address.
- Total price including all taxes and shipping costs.
- Payment, delivery and performance methods.
- Existence of the right of withdrawal and its conditions (deadline: 14 calendar days from receipt of the product).
- Duration of the contract if it is indefinite or a subscription.
- Dispute resolution procedure (EU Commission ODR platform if the website sells to EU consumers).
If you do not inform customers of their right of withdrawal, the period is automatically extended to 12 months under Article 105 of the TRLGDCU. This detail, unknown to many merchants, represents a significant legal risk if a customer makes a claim after the 14-day period.
Comparative table: mandatory documents under the regulations
| Document | Reference regulation | Mandatory for | Maximum penalty for non-compliance |
|---|---|---|---|
| Legal notice | LSSI art. 10 | Any website with economic activity | €30,000 (minor infringement) |
| Privacy policy | GDPR art. 13 / LOPDGDD | Any website processing personal data | Up to €20M or 4% of global turnover |
| Cookie policy | GDPR + AEPD Guide 2023 | Any website using non-essential cookies | Up to €10M or 2% of global turnover |
| General terms and conditions of sale | TRLGDCU + Law 7/1998 | Stores selling to end consumers | Up to €100,000 (TRLGDCU art. 49) |
| Pre-contractual information | TRLGDCU arts. 97-99 | All B2C distance contracts | Up to €100,000 + extended withdrawal period |
| ODR platform link | EU Regulation 524/2013 | Stores selling to EU consumers | Variable administrative infringement by region |
Specific requirements for the sale of certain products
In addition to the general framework, certain sectors have additional requirements that the online store must comply with:
Food and beverages
EU Regulation 1169/2011 on food information requires providing in the product listing the 14 allergens, nutritional information, ingredient list and country of origin for certain products. Alcoholic beverages with more than 1.2% vol. must indicate the alcohol content.
Electrical and electronic products
The product listing must include the energy label (EU Regulation 2017/1369 and its product-specific delegated regulations) and information about the WEEE waste management system (Royal Decree 110/2015). Since 2024, online distributors are required to inform consumers about the nearest collection point.
Cosmetics and medical devices
Governed by EU Regulation 1223/2009 (cosmetics) and EU Regulation 2017/745 (medical devices), they require specific information in the listing: INCI list, batch number, expiry date and, for medical devices, the CE number and the notified body.
Commercial communications and email marketing
Article 21 of the LSSI prohibits sending commercial communications by email without the prior consent of the recipient. This consent must be:
- Freely given: the user cannot be required to subscribe in order to complete an order.
- Specific: the user knows exactly what they are subscribing to.
- Informed: they are told who will send the communications and how frequently.
- Unambiguous: a pre-ticked checkbox is not valid.
The exception in Article 21.2 LSSI allows sending commercial communications to existing customers about products or services similar to those already purchased, provided that you have given them the opportunity to opt out in each communication.
Tax obligations and invoicing
The online store must issue an invoice to any customer who requests one and to all business customers (B2B). For sales to end consumers (B2C), it is mandatory to issue at least a purchase receipt or simplified invoice. If the store sells to customers in other European Union countries and exceeds €10,000 per year in intra-Community distance sales, it must register under the One Stop Shop (OSS) scheme with the AEAT to settle VAT in the consumer's country.
If your invoicing system needs to adapt to Verifactu or the mandatory B2B electronic invoice derived from the Crea y Crece Law, Summum Consultoría coordinates the legal and technical analysis together with the systems team.
Web accessibility: a real obligation since 2025
Law 11/2023 of 8 May (BOE-A-2023-11022), which transposes the European Accessibility Act (EAA, Directive 2019/882), requires e-commerce services to meet Level AA accessibility requirements (WCAG 2.1) for new services provided to consumers from 28 June 2025. This obligation applies to any online store selling to consumers in the EU, regardless of its size. Royal Decree 1112/2018 (EU Directive 2016/2102) applies to the public sector; the private sector is covered by Law 11/2023 and the EAA. Non-compliance can result in fines of up to €600,000 in the most serious cases.
Quick checklist before launching your store
Here are ten minimum checks you should carry out before activating sales:
- Visible and complete legal notice (LSSI art. 10).
- Privacy policy updated to the GDPR with the legal basis for each processing activity.
- Cookie banner compliant with the AEPD Guide 2023 with an equally visible rejection option.
- General terms and conditions of sale with the 14-day right of withdrawal clearly stated.
- Prices shown VAT-inclusive with indication of shipping costs before completing the order.
- Withdrawal form available for download (required by TRLGDCU art. 102).
- Link to the European Commission ODR platform in the footer.
- Newsletter subscription form with explicit consent and no pre-ticked box.
- Record of processing activities (GDPR art. 30) documented internally.
- Data processing agreements with processors (payment gateway, logistics platform, email marketing tool).
Frequently asked questions
Does a small online store or sole trader have the same obligations as a large company?
Yes, in essence. The LSSI, the GDPR and the TRLGDCU apply regardless of business size. The only relevant difference is that the GDPR sets thresholds for some additional obligations (such as the Data Protection Officer or impact assessment), which most small online stores do not reach. But the legal notice, privacy policy, cookies and terms of sale are mandatory from day one, for any merchant.
What happens if I copy the legal texts from another store?
It is a common mistake with two consequences. First, the copied texts probably do not match your specific business model (your products, your shipping timelines, your payment providers). Second, if the other store had incorrect texts, you inherit their non-compliance too. In the event of an inspection or a customer complaint, generic or copied texts do not demonstrate that you have met your information obligations. There may also be a copyright infringement regarding the copied texts.
How often should legal texts be updated?
Whenever the circumstances they document change: new service providers processing data, changes in cookie policy when adding new analytics or advertising tools, changes in shipping or return conditions, regulatory changes. In practice, an annual review is a reasonable minimum; in an active digital environment, reviewing them every six months is advisable. The AEPD publishes guides and resolutions periodically that may affect the wording of the privacy and cookie policies.
Do I need a DPO (Data Protection Officer) for my online store?
For most small and medium-sized online stores, it is not mandatory to appoint a DPO. Article 37 of the GDPR requires it when data processing is carried out on a large scale, when special categories of data (health, ideology, religion…) are processed systematically, or when the main activity involves the systematic monitoring of individuals. However, if your store operates in sectors such as health, food for vulnerable groups or subscription products with intensive profiling, it is worth analysing whether the threshold is exceeded. You can find more information in our guide on external DPO.